sysdiglabs / terraform-provider-sysdig

Sysdig Terraform provider. Allow to handle Sysdig Secure policies as code.
https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs
Mozilla Public License 2.0

sysdig_secure_rule_falco not working with append=true #211

Closed omaen closed 1 year ago

omaen commented 1 year ago

Hi,

I'm trying to append some exceptions to an existing Sysdig managed rule and am having some issues. First off, #200 sounds like a good improvement. When is this coming in a new release?

Related to this, the usage of exceptions when using append = true is not in line with the Falco documentation: https://falco.org/docs/rules/exceptions/#exception-syntax-shortcuts

The terraform provider requires fields, comps and values, which makes extending an existing exception impossible. If I supply all fields for an existing exception, just adding a few values, I get:

sysdig_secure_rule_falco.actions_runner_system: Creating...
╷
│ Error: Can not append exception fields to existing rule, only values
│
│   with sysdig_secure_rule_falco.actions_runner_system,
│   on main.tf line 60, in resource "sysdig_secure_rule_falco" "actions_runner_system":
│   60: resource "sysdig_secure_rule_falco" "actions_runner_system" {
│
╵

If I remove the fields I get this:

│ Error: Missing required argument
│
│   on main.tf line 64, in resource "sysdig_secure_rule_falco" "actions_runner_system":
│   64:   exceptions {
│
│ The argument "fields" is required, but no definition was found.

And last, if I try to add a new exception to an existing rule it seems like the exception is added outside the exception parenthesis, which makes the syntax invalid. Take this resource for example:

resource "sysdig_secure_rule_falco" "actions_runner_system" {
  name      = "Create Privileged Pod"
  append    = true
  condition = "kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true)"
  exceptions {
    name   = "namespace_image"
    fields = ["ka.target.namespace", "ka.req.pod.containers.image"]
    comps  = ["=", "="]
    values = jsonencode([
      [
        "<some namespace>", "<some container image>"
      ]
    ])
  }
}

Produces the following error. Take note of the misplaced parenthesis at gke.gcr.io/netd )) and not (( ka.target.namespace:

│ Error: Compilation error when compiling "kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not (ka.req.pod.containers.image.repository in ( docker.io/calico/node, calico/node, docker.io/cloudnativelabs/kube-router, docker.io/docker/ucp-agent, docker.io/falcosecurity/falco, docker.io/mesosphere/mesos-slave, docker.io/rook/toolbox, docker.io/sysdig/falco, docker.io/sysdig/sysdig, falcosecurity/falco, gcr.io/google_containers/kube-proxy, gcr.io/google-containers/startup-script, gcr.io/projectcalico-org/node, gke.gcr.io/kube-proxy, gke.gcr.io/gke-metadata-server, gke.gcr.io/netd-amd64, gcr.io/google-containers/prometheus-to-sd, k8s.gcr.io/ip-masq-agent-amd64, k8s.gcr.io/kube-proxy, k8s.gcr.io/prometheus-to-sd, quay.io/calico/node, sysdig/falco, sysdig/sysdig, docker.io/sematext/sematext-agent-docker, docker.io/sematext/agent, docker.io/sematext/logagent, registry.access.redhat.com/sematext/sematext-agent-docker, registry.access.redhat.com/sematext/agent, registry.access.redhat.com/sematext/logagent, quay.io/sysdig/agent-kmodule, docker.io/sysdig/agent, docker.io/sysdig/agent-slim, docker.io/sysdig/node-image-analyzer, sysdig/agent, sysdig/agent-slim, sysdig/node-image-analyzer, quay.io/sysdig/compliance-benchmark-runner, quay.io/sysdig/agent, quay.io/sysdig/node-image-analyzer, quay.io/sysdig/secure-inline-scan, quay.io/sysdig/host-analyzer, quay.io/sysdig/agent-slim, quay.io/sysdig/kspm-analyzer, quay.io/sysdig/kspm-collector, quay.io/sysdig/cspm, quay.io/sysdig/cspm-analyzer, sysdig-host-analyzer, sysdig-runtime-scanner, vuln-runtime-scanner, public.ecr.aws/falcosecurity/falco, quay.io/cilium/cilium, gke.gcr.io/netd )) and not (( ka.target.namespace = "<some namespace>" and  ka.req.pod.containers.image = "<some container image>"))": 81: unexpected token after ')', expecting 'or', 'and'
│
│   with sysdig_secure_rule_falco.actions_runner_system,
│   on main.tf line 60, in resource "sysdig_secure_rule_falco" "actions_runner_system":
│   60: resource "sysdig_secure_rule_falco" "actions_runner_system" {
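The compile error quoted above points at offset 81 of the compiled condition. The Go snippet below is an added illustration, not code from the provider or from this issue: it applies the same rule the Falco parser complained about (after a ')' only 'and' or 'or' may follow) plus a parenthesis balance check to a constructed, shortened copy of that compiled condition. It stops at offset 81, which is where the second copy of the base condition begins, and it accepts a condition where the new exception is joined with a single 'and not'.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed, shortened copy of the compiled condition from the error above.
const compiledCondition = `kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not (ka.req.pod.containers.image.repository in ( gke.gcr.io/netd )) and not (( ka.target.namespace = "<some namespace>" and  ka.req.pod.containers.image = "<some container image>"))`
// checkCondition is a lightweight sanity check, not Falco's parser: after a
// ')' only 'and', 'or', ')' or the end may follow, and parentheses must
// balance. Returns the 1-based offset of the first problem, or 0 and nil.
func checkCondition(cond string) (int, error) {
	depth, afterClose := 0, false
	for i := 0; i < len(cond); i++ {
		c := cond[i]
		if c == ' ' || c == '\t' {
			continue
		}
		if c == ')' {
			depth--
			afterClose = true
			continue
		}
		j := i + 1 // find the end of this token
		switch c {
		case '(':
			depth++
		case '"': // quoted value such as "<some namespace>", may contain spaces
			end := strings.IndexByte(cond[j:], '"')
			if end < 0 {
				return i + 1, fmt.Errorf("%d: unterminated string", i+1)
			}
			j += end + 1
		default: // bare word: field name, operator or unquoted value
			for j < len(cond) && !strings.ContainsRune(" \t()\"", rune(cond[j])) {
				j++
			}
		}
		if w := cond[i:j]; afterClose && w != "and" && w != "or" {
			return i + 1, fmt.Errorf("%d: unexpected token %q after ')', expecting 'or', 'and'", i+1, w)
		}
		afterClose, i = false, j-1
	}
	if depth != 0 {
		return len(cond), fmt.Errorf("unbalanced parentheses (depth %d)", depth)
	}
	return 0, nil
}
```

Running the check on a candidate condition before applying a rule with append = true surfaces this class of composition error without a round trip to the Sysdig API.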

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

github-actions[bot] commented 1 year ago

This issue has been closed due to inactivity.